Abstract. We consider the reachability problem for timed automata. 
A standard solution to this problem involves computing a search tree 
whose nodes are abstractions of zones. For efficiency reasons, they are 
parametrized by the maximal lower and upper bounds (LU-bounds) occurring 
in the guards of the automaton. We propose an algorithm that 
updates LU-bounds during exploration of the search tree. In order to 
keep them as small as possible, the bounds are refined only when they 
enable a transition that is impossible in the unabstracted system. So our 
algorithm can be seen as a kind of lazy CEGAR algorithm for timed 
automata. We show that on several standard benchmarks, the algorithm 
is capable of keeping very small LU-bounds, and in consequence reduces 
the search space substantially. 

1 Introduction 

Timed automata are obtained from finite automata by adding clocks that can 
be reset and whose values can be compared with constants. The reachability 
problem asks if a given target state is reachable from the initial state by the 
execution of a given automaton. The standard solution to this problem involves 
computing the so-called zone graph of the automaton, and the use of abstractions 
to make the algorithm both terminating and more efficient. 

Most abstractions are based on constants used in comparisons of clock values. 
Such abstractions have already been considered in the seminal paper of Alur 
and Dill [AD94]. Behrmann et al. [BBLP06] have proposed abstractions based 
on so-called LU-bounds, that are functions giving for every clock a maximal 
constant in a lower, respectively upper bound, constraint in the automaton. In 
a recent paper [HSW12] we have shown how to efficiently use the $\mathfrak{a}_{\preceq LU}$ abstraction 
from [BBLP06]. Moreover, $\mathfrak{a}_{\preceq LU}$ has been proved to be the biggest abstraction 
that is sound for all automata with given LU-bounds. Since the $\mathfrak{a}_{\preceq LU}$ abstraction 
of a zone can result in a non-convex set, we have shown in op. cit. how to use 
this abstraction without the need to store the result of the abstraction. This 
opens new algorithmic possibilities because changing LU-bounds becomes very 
cheap as abstractions need not be recalculated. In this paper we explore these 
possibilities. 

The algorithm we propose works as follows. It constructs a graph with nodes 
of the form $(q, Z, LU)$, where $q$ is a state of the automaton, $Z$ is a zone, and 
$LU$ are parameters for the abstraction. It starts with the biggest abstraction: 
the LU-bounds are set to $-\infty$, which makes $\mathfrak{a}_{\preceq LU}(Z)$ the set of all valuations 
for every nonempty $Z$. The algorithm explores the zone graph using the standard 
transition relation on zones, without modifying the LU-bounds till it encounters 
a disabled transition. More concretely, till it reaches a node $(q, Z, LU)$ such 
that there is a transition from $q$ that is not possible from $(q, Z)$ because no 
valuation in $Z$ allows to take it. At this point we need to adjust the LU-bounds so 
that the transition is not possible from $\mathfrak{a}_{\preceq LU}(Z)$ either. This adjustment is then 
propagated backwards through the already constructed part of the graph. 

The real challenge is to limit the propagation of bound updates. For this, if 
the bounds have changed in a node $(q', Z', L'U')$ then we consider its predecessor 
nodes $(q, Z, LU)$ and update their LU-bounds as a function of $Z$, $Z'$ and $L'U'$. We 
give general conditions for correctness of such an update, and a concrete efficient 
algorithm implementing it. This requires a careful analysis of the 
influence of the transition on the zone $Z$. As a result we obtain an algorithm 
that exhibits exponential gains on some standard benchmarks. 

We have analyzed the performance of our algorithm theoretically as well as 
empirically. We have compared it with the static analysis algorithm that is the state- 
of-the-art algorithm implemented in UPPAAL, and with an algorithm we have 
proposed in [HKSW11]. The latter improves on the static analysis algorithm by 
considering only the reachable part of the zone graph. For an example borrowed 
from [LNZ05] we have proved that the algorithm presented here produces a 
linear size search graph while for the other two algorithms, the search graph 
is exponential in the size of the model. For the classic FDDI benchmark, that 
has been tested on just about every algorithm for the reachability problem, our 
algorithm reveals the rather surprising fact that time is almost irrelevant. There 
is only one constraint that induces LU-bounds, and in consequence the abstract 
search graph constructed by our algorithm is linear in the size of the parameter 
of FDDI. 

Our algorithm can be seen as a kind of CEGAR algorithm similar in 
spirit to [HJMS02], but there are also major differences. In the particular 
setting of timed automata the information available is much richer, and we need 
to use it in order to obtain a competitive algorithm. First, we do not need to wait 
till a whole path is constructed to analyze if it is spurious or not. Once we decide 
to keep zones in nodes we can immediately detect if an abstraction is too large: 
it is when it permits a transition not permitted from the zone itself. Next, the 
abstractions we use are highly specialized for the reachability problem. Finally, 
the propagation of bound changes gets quite sophisticated because it can profit 
from the large amount of useful information in the exploration graph. 

Related work Forward analysis is the main approach for the reachability testing 
of real-time systems. The use of zone-based abstractions for termination has been 
introduced in [DT98]. The notion of LU-bounds and inference of these bounds 
by static analysis of an automaton have been proposed in [BBFL03, BBLP06]. 
The $\mathfrak{a}_{\preceq LU}$ approximation has been introduced in [BBLP06]. An approximation 
method based on LU-bounds, called $\mathrm{Extra}^+_{LU}$, is used in the current 
implementation of UPPAAL [BDL+06]. In [HSW12] we have shown how to 
efficiently use the $\mathfrak{a}_{\preceq LU}$ approximation. We have also proposed an LU-propagation 
algorithm [HKSW11] that can be seen as applying the static analysis from [BBFL03] 
on the zone graph instead of the graph of the automaton; moreover this inference 
is done on-the-fly during construction of the zone graph. In the present paper 
we do much finer inference and propagation of LU-bounds. 

Approximation schemes for the analysis of timed automata have been considered 
almost immediately after the introduction of the concept of timed automata, as for 
example in [WT94, DWT95] or [Sor04]. In particular, the latter citation proposes 
to abstract the region graph by not considering all the constraints involved in 
the definition of a region. When a spurious counterexample is discovered a new 
constraint is added. So in the worst case the whole region graph will be 
constructed. Our algorithm in the worst case constructs an $\mathfrak{a}_{\preceq LU}$-abstracted zone 
graph with LU-bounds obtained by static analysis. This is as good as the state- 
of-the-art method used in UPPAAL. Another slightly related paper is [BLR05], 
where a CEGAR approach is used to handle diagonal constraints. 

Let us mention that abstractions are not needed in backward exploration 
of timed systems. Nevertheless, any feasible backward analysis approach needs 
to simplify constraints. For example [MPS11] does not use approximations and 
relies on an SMT solver instead. This approach, or the approach of RED [Wan04], 
are very difficult to compare with the forward analysis approach we study here. 

Organization of the paper In the preliminaries section we introduce all standard 
notions we will need, and the $\mathfrak{a}_{\preceq LU}$ abstraction in particular. Section 3 gives a 
definition of adaptive simulation graph (ASG). Such a graph represents the search 
space of a forward reachability testing algorithm that will search for an abstract 
run with respect to the $\mathfrak{a}_{\preceq LU}$ abstraction, while changing LU-bounds dynamically 
during exploration. Section 4 gives an algorithm for constructing an ASG with 
small LU-bounds. Section 5 presents the two crucial functions used in the 
algorithm: the one updating the bounds due to disabled edges, and the one 
propagating the change of bounds. Section 6 explains some advantages of the algorithm 
on variations of an example borrowed from [LNZ05]. The experiments section 
compares our prototype tool with UPPAAL, and our algorithm from [HKSW11]. 
The conclusions section gives some justification for our choice of concentrating on 
LU-bounds. 

2 Preliminaries 

2.1 Timed automata and the reachability problem 

Let $X$ be a set of clocks, i.e., variables that range over $\mathbb{R}_{\ge 0}$, the set of non- 
negative real numbers. A clock constraint is a conjunction of constraints $x \# c$ for 
$x \in X$, $\# \in \{<, \le, =, \ge, >\}$ and $c \in \mathbb{N}$, e.g. $(x < 3 \wedge y \ge 0)$. Let $\Phi(X)$ denote 
the set of clock constraints over clock variables $X$. A clock valuation over $X$ is a 
function $v : X \to \mathbb{R}_{\ge 0}$. We denote $\mathbb{R}^X_{\ge 0}$ the set of clock valuations over $X$, and 
$\mathbf{0}$ the valuation that associates $0$ to every clock in $X$. We write $v \models \phi$ when $v$ 
satisfies $\phi \in \Phi(X)$, i.e. when every constraint in $\phi$ holds after replacing every $x$ 
by $v(x)$. For $\delta \in \mathbb{R}_{\ge 0}$, let $v + \delta$ be the valuation that associates $v(x) + \delta$ to every 
clock $x$. For $R \subseteq X$, let $[R]v$ be the valuation that sets $x$ to $0$ if $x \in R$, and that 
sets $x$ to $v(x)$ otherwise. 

A timed automaton (TA) is a tuple $\mathcal{A} = (Q, q_0, X, T, Acc)$ where $Q$ is a finite 
set of states, $q_0 \in Q$ is the initial state, $X$ is a finite set of clocks, $Acc \subseteq Q$ is a 
set of accepting states, and $T \subseteq Q \times \Phi(X) \times 2^X \times Q$ is a finite set of transitions 
$(q, g, R, q')$ where $g$ is a guard, and $R$ is the set of clocks that are reset on the 
transition. 

A configuration of $\mathcal{A}$ is a pair $(q, v) \in Q \times \mathbb{R}^X_{\ge 0}$, and $(q_0, \mathbf{0})$ is the initial 
configuration. We have two kinds of transitions: 

Delay: $(q, v) \xrightarrow{\delta} (q, v + \delta)$ for some $\delta \in \mathbb{R}_{\ge 0}$; 

Action: $(q, v) \xrightarrow{t} (q', v')$ for some transition $t = (q, g, R, q') \in T$ such that $v \models g$ 
and $v' = [R]v$. 

A run of $\mathcal{A}$ is a finite sequence of transitions starting from the initial configu- 
ration $(q_0, \mathbf{0})$. Without loss of generality, we can assume that the first transition 
is a delay transition and that delay and action transitions alternate. We write 
$(q, v) \to (q', v')$ if there is a delay transition $(q, v) \xrightarrow{\delta} (q, v + \delta)$ followed by an 
action transition $(q, v + \delta) \xrightarrow{t} (q', v')$. So a run of $\mathcal{A}$ can be written as: 

$$(q_0, v_0) \to (q_1, v_1) \to (q_2, v_2) \to \cdots \to (q_n, v_n)$$ 

where $(q_0, v_0)$ represents the initial configuration $(q_0, \mathbf{0})$. 

A run is accepting if it ends in a configuration $(q_n, v_n)$ with $q_n \in Acc$. 

Definition 1 (Reachability problem). The reachability problem for timed 
automata is to decide whether there exists an accepting run of a given automaton. 

This problem is known to be PSPACE-complete [AD94, CY92]. The class of TA 
we consider is usually known as diagonal-free TA since clock comparisons like 
$x - y < 1$ are disallowed. Notice that if we are interested in state reachability, 
considering timed automata without state invariants does not entail any loss of 
generality as the invariants can be added to the guards. For state reachability, 
we can also consider automata without transition labels. 

2.2 Zones and symbolic runs 

Here we introduce zones that are sets of valuations defined by simple linear 
constraints. We also define symbolic transition relation working on sets of valu- 
ations. These definitions will allow us to concentrate on symbolic runs instead 
of concrete runs as in the previous section. 

We first define a transition relation $\Rightarrow$ over nodes of the form $(q, W)$ where 
$W$ is a set of valuations. 

Definition 2 (Symbolic transition $\Rightarrow$). Let $\mathcal{A}$ be a timed automaton. For 
every transition $t$ of $\mathcal{A}$ and every set of valuations $W$, we have a transition 
defined as follows: 

$$(q, W) \Rightarrow^t (q', W') \quad \text{where } W' = \{v' \mid \exists v \in W,\ \exists \delta \in \mathbb{R}_{\ge 0}.\ (q, v) \xrightarrow{t} (q', v'') \text{ and } v' = v'' + \delta\}$$ 

We will sometimes write $\mathrm{Post}_t(W)$ for $W'$. The transition relation $\Rightarrow$ is the 
union of all $\Rightarrow^t$. 

The transition relation defined above considers each valuation $v \in W$ that 
can take the transition $t$, obtains the valuation after the transition and then 
collects the time-successors from this obtained valuation. Therefore the 
symbolic transition always yields sets closed under time-successors. The initial 
configuration of the automaton is $(q_0, \mathbf{0})$. Starting from the initial valuation, 
the set of valuations reachable by a time elapse at the initial state is given by 
$\{\mathbf{0} + \delta \mid \delta \in \mathbb{R}_{\ge 0}\}$. Call this $W_0$. From $(q_0, W_0)$ as the initial node, computing 
the symbolic transition relation leads to different nodes $(q, W)$ wherein the 
sets $W$ are closed under time-successors. 

It has been noticed in [BY04a] that the sets $W$ obtained in the nodes $(q, W)$ 
can be described by some simple constraints involving only the difference between 
clocks. This has motivated the definition of zones, which are sets of valuations 
defined by difference constraints. 

Definition 3 (Zones [BY04a]). A zone is a set of valuations defined by a 
conjunction of two kinds of clock constraints: $x \sim c$ and $x - y \sim c$ for $x, y \in X$, 
$\sim \in \{<, \le, =, \ge, >\}$, and $c \in \mathbb{Z}$. 

For example $(x > 4 \wedge y - x < 1)$ is a zone. It can be shown that starting 
from a node $(q, W)$ with $W$ being a zone, the transition $(q, W) \Rightarrow (q', W')$ leads 
to a node in which $W'$ is again a zone [BY04a]. Observe that the initial set of 
valuations $Z_0 = \{\mathbf{0} + \delta \mid \delta \in \mathbb{R}_{\ge 0}\}$ is indeed a zone: it is given by the constraints 

$$\bigwedge_{x, y \in X} (x \ge 0 \wedge x - y = 0)$$ 

These observations lead to a notion of symbolic run that is a sequence of 
symbolic transitions 

$$(q_0, Z_0) \Rightarrow (q_1, Z_1) \Rightarrow \cdots$$ 

Proposition 1. Fix a timed automaton. The automaton has an accepting run if 
and only if it has a symbolic run reaching an accepting state and a non-empty 
zone. 

This proposition does not yet give a complete solution to the reachability prob- 
lem since there may be infinitely many reachable zones, so it is not immediate 
how to algorithmically check that a symbolic run does not exist. A standard solu- 
tion to this problem of non-termination is to use abstractions that we introduce 
in the next subsection. 
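The symbolic transition of Definition 2 on zones of Definition 3, as an added example that is not code from the paper: zones are stored as difference bound matrices (DBMs), and Post_t is guard intersection, reset and time elapse, each followed by tightening. The automaton fragment, the clock indices and the restriction to closed constraints (no strict bounds) are assumptions of this example.

```python
# Added example (not from the paper): zones as difference bound matrices (DBMs)
# and the symbolic successor Post_t(Z) of Definition 2.  Simplification: only
# closed constraints (<=, >=, ==), so every bound is a single integer.
# Index 0 is the reference clock (always 0); clocks are indices 1..n.
# M[i][j] is an upper bound on x_i - x_j, INF when unconstrained.

INF = float("inf")


def canonical(M):
    """Tighten every bound by shortest paths (Floyd-Warshall); returns a copy."""
    n = len(M)
    D = [row[:] for row in M]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                if D[i][k] + D[k][j] < D[i][j]:
                    D[i][j] = D[i][k] + D[k][j]
    return D


def is_empty(M):
    """After tightening, a negative diagonal entry means the constraints contradict."""
    D = canonical(M)
    return any(D[i][i] < 0 for i in range(len(D)))


def time_elapse(M):
    """Time successors: drop every upper bound x_i <= c (the entries M[i][0])."""
    D = [row[:] for row in M]
    for i in range(1, len(D)):
        D[i][0] = INF
    return canonical(D)


def initial_zone(n_clocks):
    """Z_0 = {0 + delta | delta >= 0}: all clocks equal and non-negative."""
    n = n_clocks + 1
    return time_elapse([[0] * n for _ in range(n)])


def intersect_guard(M, guard):
    """guard is a list of (clock, op, c) with op in {'<=', '>=', '=='}."""
    D = [row[:] for row in M]
    for x, op, c in guard:
        if op in ("<=", "=="):        # x - x_0 <= c
            D[x][0] = min(D[x][0], c)
        if op in (">=", "=="):        # x_0 - x <= -c
            D[0][x] = min(D[0][x], -c)
    return canonical(D)


def reset(M, R):
    """[R]: set every clock in R to 0, keeping the relations among the others."""
    D = canonical(M)
    for x in R:
        for j in range(len(D)):
            if j != x:
                D[x][j] = D[0][j]     # x - x_j = x_0 - x_j
                D[j][x] = D[j][0]     # x_j - x = x_j - x_0
        D[x][x] = 0
    return canonical(D)


def post(Z, guard, R):
    """Post_t(Z): guard, then reset, then time elapse.  None when t is disabled from Z."""
    G = intersect_guard(Z, guard)
    if is_empty(G):
        return None
    return time_elapse(reset(G, R))


def bounds(M, x, y):
    """Readable summary of a two-clock zone: intervals for x, y and for x - y."""
    return {"x_low": -M[0][x], "x_up": M[x][0], "y_low": -M[0][y], "y_up": M[y][0],
            "x_minus_y_low": -M[y][x], "x_minus_y_up": M[x][y]}


# Constructed automaton fragment: clocks x = 1, y = 2; transition t1 has guard
# x >= 2 and resets y; a second transition t2 has guard x <= 1.
X, Y = 1, 2


def example_run():
    """(q0, Z0) => t1 (q1, Z1), then check that t2 is disabled from (q1, Z1)."""
    Z0 = initial_zone(2)
    Z1 = post(Z0, [(X, ">=", 2)], [Y])      # Z1: x >= 2, y >= 0, x - y >= 2
    blocked = post(Z1, [(X, "<=", 1)], [])   # x <= 1 contradicts x >= 2
    return Z0, Z1, blocked
```

The disabled successor returned as None is exactly the situation in which the algorithm of Section 4 later has to adjust LU-bounds (invariant I1).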

2.3 Bounds and abstractions 

F. Herbreteau, B. Srivathsan, and I. Walukiewicz 

In the previous subsection, we have defined zones. We have used zones instead 
of valuations to solve the reachability problem. Since the number of reachable 
zones can be infinite, the next step is to group zones together into a finite 
number of equivalence classes. An abstraction operator is a convenient way to 
express a grouping of valuations, and in consequence a grouping of zones. Instead 
of discussing abstractions in full generality, we will immediately proceed to the 
most relevant case of abstractions based on time-abstract simulation [TAKB96]. 
For this subsection we fix a timed automaton $\mathcal{A}$. 

Definition 4 (Time-abstract simulation). A (state based) time-abstract 
simulation between configurations of $\mathcal{A}$ is a relation $(q, v) \preceq_{t.a.} (q', v')$ such that: 

- $q = q'$, 

- if $(q, v) \xrightarrow{\delta} (q, v + \delta) \xrightarrow{t} (q_1, v_1)$, then there exists a $\delta' \in \mathbb{R}_{\ge 0}$ such that 
$(q, v') \xrightarrow{\delta'} (q, v' + \delta') \xrightarrow{t} (q_1, v_1')$ satisfying $(q_1, v_1) \preceq_{t.a.} (q_1, v_1')$ for the 
same transition $t$. 

For two valuations $v, v'$, we say that $v \preceq_{t.a.} v'$ if for every state $q$ of the 
automaton, we have $(q, v) \preceq_{t.a.} (q, v')$. An abstraction $\mathfrak{a}_{\preceq_{t.a.}}$ based on a simulation 
$\preceq_{t.a.}$ can be defined as follows: 

Definition 5 (Abstraction based on simulation). Given a set $W$, we 
define $\mathfrak{a}_{\preceq_{t.a.}}(W) = \{v \mid \exists v' \in W.\ v \preceq_{t.a.} v'\}$. The abstract transition relation is 
$(q, W) \Rightarrow_{\mathfrak{a}_{\preceq_{t.a.}}} (q', \mathfrak{a}_{\preceq_{t.a.}}(W'))$ where $W = \mathfrak{a}_{\preceq_{t.a.}}(W)$ and $(q, W) \Rightarrow (q', W')$ (cf. 
Definition 2). 

Let $\Rightarrow^*_{\mathfrak{a}_{\preceq_{t.a.}}}$ denote the reflexive and transitive closure of $\Rightarrow_{\mathfrak{a}_{\preceq_{t.a.}}}$. Similarly, 
let $\to^*$ denote the reflexive and transitive closure of the transition relation $\to$ 
of the automaton. It can be easily verified that the abstract transition relation 
satisfies the following two important properties ($W_0$ denotes $\{\mathbf{0} + \delta \mid \delta \in \mathbb{R}_{\ge 0}\}$): 

Soundness: if $(q_0, W_0) \Rightarrow^*_{\mathfrak{a}_{\preceq_{t.a.}}} (q, W)$ then there is $v \in W$ such that $(q_0, \mathbf{0}) \to^* (q, v)$. 

Completeness: if $(q_0, \mathbf{0}) \to^* (q, v)$ then there is $W$ such that $v \in W$ and 
$(q_0, W_0) \Rightarrow^*_{\mathfrak{a}_{\preceq_{t.a.}}} (q, W)$. 

These properties immediately imply that abstract transitions can be used to 
solve the reachability problem. 

Proposition 2. For every abstraction operator $\mathfrak{a}_{\preceq_{t.a.}}$ based on a time-abstract 
simulation, automaton $\mathcal{A}$ has a run reaching a state $q$ iff there is an abstract 
run 

$$(q_0, W_0) \Rightarrow_{\mathfrak{a}_{\preceq_{t.a.}}} (q_1, W_1) \Rightarrow_{\mathfrak{a}_{\preceq_{t.a.}}} \cdots \Rightarrow_{\mathfrak{a}_{\preceq_{t.a.}}} (q, W)$$ 
for some $W \neq \emptyset$. 

Remark 1. If $\mathfrak{a}$ and $\mathfrak{b}$ are two abstractions such that for every set of valuations 
$W$ we have $\mathfrak{a}(W) \subseteq \mathfrak{b}(W)$ then we prefer to use $\mathfrak{b}$ since every abstract run with 
respect to $\mathfrak{a}$ is also a run with respect to $\mathfrak{b}$. In consequence, it is easier to find 
an abstract run for the $\mathfrak{b}$ abstraction. 
Therefore, the aim is to come up with a finite abstraction as coarse as 
possible, that still maintains the soundness property. 

For a given automaton it can be computed if two configurations are in a 
simulation relation. It should be noted though that computing the coarsest 
simulation relation is EXPTIME-hard [LS00]. Since the reachability problem can be 
solved in PSPACE, this suggests that it may not be reasonable to try to solve it 
using the abstraction based on the coarsest simulation. We can get simulation 
relations that are computationally easier if we consider only a part of the 
structure of the automaton. The common way is to look at constants appearing in 
the guards of the automaton and consider them as parameters for abstraction. 

2.4 LU-bounds and LU-abstractions 

The most common parameters taken for defining abstractions are LU-bounds. 

Definition 6 (LU-bounds). The $L$ bound for an automaton $\mathcal{A}$ is the function 
assigning to every clock $x$ the maximal constant that appears in a lower bound 
guard for $x$ in $\mathcal{A}$, that is, the maximum over guards of the form $x > c$ or $x \ge c$. 
Similarly $U$ is the function assigning to every clock $x$ the maximal constant 
appearing in an upper bound guard for $x$ in $\mathcal{A}$, that is, the maximum over guards of 
the form $x < c$ or $x \le c$. 

The paper introducing LU-bounds [BBLP06] also introduced an abstraction 
operator $\mathfrak{a}_{\preceq LU}$ that uses LU-bounds as parameters. We begin by recalling the 
definition of the LU-preorder defined in [BBLP06]. We use a different but 
equivalent formulation. 

Definition 7 (LU-preorder [BBLP06]). Let $L, U : X \to \mathbb{N} \cup \{-\infty\}$ be two 
bound functions. For a pair of valuations we set $v \preceq_{LU} v'$ if for every clock $x$: 

- if $v'(x) < v(x)$ then $v'(x) > L_x$, and 

- if $v'(x) > v(x)$ then $v(x) > U_x$. 

It has been shown in [BBLP06] that $\preceq_{LU}$ is a time-abstract simulation 
relation. The $\mathfrak{a}_{\preceq LU}$ abstraction is based on this LU-preorder $\preceq_{LU}$. 

Definition 8 ($\mathfrak{a}_{\preceq LU}$-abstraction [BBLP06]). Given $L$ and $U$ bound 
functions, for a set of valuations $W$ we define: 

$$\mathfrak{a}_{\preceq LU}(W) = \{v \mid \exists v' \in W.\ v \preceq_{LU} v'\}.$$ 

Figure 1 gives an example of a zone $Z$ and its abstraction $\mathfrak{a}_{\preceq LU}(Z)$. It can 
be seen that $\mathfrak{a}_{\preceq LU}(Z)$ is not a convex set. 

An efficient algorithm to use the $\mathfrak{a}_{\preceq LU}$ abstraction for reachability was 
proposed in [HSW12]. Moreover in op. cit. it was shown that over time-elapsed 
zones, the $\mathfrak{a}_{\preceq LU}$ abstraction is optimal when the only information about the 
analyzed automaton are its LU-bounds. Informally speaking, for a fixed $LU$, the 
$\mathfrak{a}_{\preceq LU}$ abstraction is the biggest abstraction that is sound and complete for all 
automata using guards within LU-bounds. 

Fig. 1. Zone $Z$ is given by the grey area. Abstraction $\mathfrak{a}_{\preceq LU}(Z)$ is given by the grey 
area along with the dotted area. 

Since the abstraction $\mathfrak{a}_{\preceq LU}$ is optimal, the next improvement is to try to get 
as good LU-bounds as possible, since tighter bounds give coarser abstractions. 
Recall Remark 1 which states the importance of having coarser abstractions. 

It has been proposed in [BBFL03] that instead of considering one LU-bound 
for all states in an automaton, one can use different bound functions for each 
state. For every state $q$ and every clock $x$, constants $L_x(q)$ and $U_x(q)$ are 
determined by the least solution of the following set of inequalities. For each transition 
$(q, g, R, q')$ in the automaton, we have: 

$$L_x(q) \ge c \quad \text{if } x > c \text{ is a constraint in } g$$ 

$$L_x(q) \ge L_x(q') \quad \text{if } x \notin R \qquad (1)$$ 

Similar inequalities are written for $U$, now considering $x < c$. It has been shown 
in [BBFL03] that such an assignment of constants is sound and complete for state 
reachability. Experimental results have shown that this method, that performs 
a static analysis on the structure of the automaton, often gives very big gains. 



3 Adaptive simulation graph 

In this paper we improve on the idea of static analysis that computes LU-bounds 
for each state $q$. We will compute LU-bounds on-the-fly while searching for an 
abstract run. The immediate gain will be that bounds will depend not only on 
a state but also on a set of valuations. The real freedom given by an adaptive 
simulation graph and Theorem 1 presented below is that they allow us to ignore 
some guards of transitions when calculating the LU-bounds. As we will see in the 
experiments section, this can result in very big performance gains. 

We will construct a forward reachability testing algorithm that will search for 
an abstract run with respect to the $\mathfrak{a}_{\preceq LU}$ abstraction, where the LU-bounds will change 
dynamically during exploration. The intuition of the search space of such an 
algorithm is formalized in the notion of adaptive simulation graph (ASG). Such a 
graph permits to change LU-bounds from node to node, provided some 
consistency conditions are satisfied. LU-bounds play an important role in this graph. 
They are used to stop developing successors of a node as soon as possible. So 
our goal will be to find as small LU-bounds as possible in order to cut the paths 
of the graph as soon as possible. 

Definition 9 (Adaptive simulation graph (ASG)). Fix an automaton $\mathcal{A}$. 
An ASG graph has nodes of the form $(q, Z, LU)$ where $q$ is a state of $\mathcal{A}$, $Z$ is 
a zone, and $LU$ are bound functions. Some nodes are declared to be tentative. 
The graph is required to satisfy three conditions: 

G1 For the initial state $q_0$ and initial zone $Z_0$, a node $(q_0, Z_0, LU)$ should appear 
in the graph for some $LU$. 

G2 If a node $(q, Z, LU)$ is not tentative then for every transition $(q, Z) \Rightarrow^t (q', Z')$ 
the node should have a successor labeled $(q', Z', L'U')$ for some $L'U'$. 

G3 If a node $(q, Z, LU)$ is tentative then there should be a non-tentative node 
$(q', Z', L'U')$ such that $q = q'$ and $Z \subseteq \mathfrak{a}_{\preceq L'U'}(Z')$. Node $(q', Z', L'U')$ is 
called the covering node. 

We will also require that the following invariants are satisfied: 

I1 If a transition $\Rightarrow^t$ is disabled from $(q, Z)$, and $(q, Z, LU)$ is a node of the 
ASG, then $\Rightarrow^t$ should be disabled from $\mathfrak{a}_{\preceq LU}(Z)$ too; 

I2 For every edge $(q, Z, LU) \Rightarrow^t (q', Z', L'U')$ of the ASG we have: 

$$\mathrm{Post}_t(\mathfrak{a}_{\preceq LU}(Z)) \subseteq \mathfrak{a}_{\preceq L'U'}(Z').$$ 

I3 For every tentative node $(q, Z_1, L_1U_1)$ and the corresponding covering node 
$(q, Z_2, L_2U_2)$, we have: 

$$L_2U_2 \le L_1U_1.$$ 

The conditions G1, G2, G3 express the expected requirements for a graph to 
cover all reachable configurations. In particular, the condition G3 allows to stop 
exploration if there is already a "better" node in the graph. The three invariants 
are more subtle. They imply that LU-bounds should be big enough for the 
reachability information to be preserved (cf. Theorem 1). 

Remark: While the idea is to work with nodes of the form $(q, W)$ with 
$W = \mathfrak{a}_{\preceq LU}(W)$, we do not want to store $W$ directly, as we have no efficient 
way of representing and manipulating such sets. Instead we represent each $W$ as 
$\mathfrak{a}_{\preceq LU}(Z)$. So we store $Z$ and $LU$. This choice is algorithmically cheap since testing 
the inclusion $Z' \subseteq \mathfrak{a}_{\preceq LU}(Z)$ is practically as easy as testing $Z' \subseteq Z$ [HSW12]. 
This approach has another big advantage: when we change the LU-bounds in a node, 
we do not need to recalculate $\mathfrak{a}_{\preceq LU}(Z)$. 
Remark: It is important to observe that for every $\mathcal{A}$ there exists a finite 
ASG. For example, it is sufficient to take static LU-bounds as described in (1). 
It means that we can take an ASG whose nodes are $(q, Z, L(q)U(q))$ with bound 
functions given by static analysis. It is easy to see that such a choice makes all 
three invariants hold. 

The next theorem tells us that any ASG is good enough to determine the 
existence of an accepting run. Our objective in the later sections will be to construct 
as small an ASG as possible. 

Theorem 1. Let $G$ be an ASG for an automaton $\mathcal{A}$. An accepting state is 
reachable by a run of $\mathcal{A}$ iff a node containing an accepting state of $\mathcal{A}$ and a non-empty 
zone is reachable from the initial node of $G$. 

Recall from Proposition 2 that there is an accepting run of $\mathcal{A}$ iff there is a 
sequence of symbolic transitions 

$$(q_0, Z_0) \Rightarrow (q_1, Z_1) \Rightarrow \cdots \Rightarrow (q, Z) \qquad (2)$$ 

with $q \in Acc$ and $Z \neq \emptyset$. 

For the right-to-left direction of the theorem we take a path in $G$ leading 
from $(q_0, Z_0, L_0U_0)$ to $(q, Z, LU)$. By definition, removing the third component 
gives us a path as in (2). 

The opposite direction is proved with the help of the following lemma. 

Lemma 1. Let $(q, Z)$ be as in (2). There exists a non-tentative node $(q, Z_1, L_1U_1)$ 
in $G$ such that $Z \subseteq \mathfrak{a}_{\preceq L_1U_1}(Z_1)$. 

Proof. The lemma is vacuously true for $(q_0, Z_0)$. Assume that the hypothesis is 
true for a path as in (2). We prove that the lemma is true for every symbolic 
successor of $(q, Z)$. 

Let $(q, Z) \Rightarrow^t (q', Z')$ be a symbolic transition of $\mathcal{A}$. The transition $\Rightarrow^t$ should 
be enabled from $(q, Z_1)$. This is because if it was disabled, by Invariant I1 we 
would have that it is disabled from $\mathfrak{a}_{\preceq L_1U_1}(Z_1)$, and from the hypothesis it should 
be disabled from $(q, Z)$ too, leading to a contradiction. 

So we have a transition $(q, Z_1, L_1U_1) \Rightarrow^t (q', Z_1', L_1'U_1')$ in $G$. From Invariant 
I2, we have $\mathrm{Post}_t(\mathfrak{a}_{\preceq L_1U_1}(Z_1)) \subseteq \mathfrak{a}_{\preceq L_1'U_1'}(Z_1')$. This leads to the following sequence 
of implications. 

$$Z \subseteq \mathfrak{a}_{\preceq L_1U_1}(Z_1) \quad \text{(induction hypothesis)}$$ 

$$\Rightarrow\ \mathrm{Post}_t(Z) \subseteq \mathrm{Post}_t(\mathfrak{a}_{\preceq L_1U_1}(Z_1))$$ 

$$\Rightarrow\ \mathrm{Post}_t(Z) \subseteq \mathfrak{a}_{\preceq L_1'U_1'}(Z_1') \quad \text{(by Invariant I2)}$$ 

$$\Rightarrow\ Z' \subseteq \mathfrak{a}_{\preceq L_1'U_1'}(Z_1') \quad \text{(since } Z' = \mathrm{Post}_t(Z))$$ 

If $(q', Z_1', L_1'U_1')$ is a non-tentative node, then we are done. Suppose it is a 
tentative node; then we know that there exists a non-tentative node $(q', Z_2', L_2'U_2')$ 
such that $Z_1' \subseteq \mathfrak{a}_{\preceq L_2'U_2'}(Z_2')$. From Invariant I3, we also know that $L_2'U_2' \le L_1'U_1'$, 
and smaller bounds give a coarser abstraction. This shows that $Z' \subseteq \mathfrak{a}_{\preceq L_2'U_2'}(Z_2')$. 

Hence the node corresponding to $(q', Z')$ is $(q', Z_2', L_2'U_2')$. □ 
4 Algorithm 

Our aim is to construct a small adaptive simulation graph for a given timed 
automaton. For this the algorithm will try to keep the LU-bounds as small as possible 
but still satisfy the invariants I1, I2, I3. The bounds are calculated dynamically 
while constructing an adaptive simulation graph. For example, the invariant 
I1 requires $LU$ in a node to be sufficiently big so that the transition remains 
disabled. Invariant I2 tells that the LU-bounds in a node should depend on the LU- 
bounds in the successors of the node. 

Proviso: For simplicity of the algorithm presented in this section we assume 
a special form of transitions of timed automata. A transition can have either 
only upper bound guards, or only lower bound guards and no resets. Observe 
that a transition $q_1 \xrightarrow{g, R} q_2$ is equivalent to $q_1 \xrightarrow{g_L} q_1' \xrightarrow{g_U, R} q_2$, where $g_L$ is the 
conjunction of the lower bound guards from $g$ and $g_U$ is the conjunction of the 
upper bound guards from $g$. 

Lemma 2. Suppose $W_1$ is a time elapsed set of valuations. If 

$$(q_1, W_1) \Rightarrow^{g, R} (q_2, W_2) \quad \text{and} \quad (q_1, W_1) \Rightarrow^{g_L} (q_1', W_1') \Rightarrow^{g_U, R} (q_2, W_2')$$ 
then $W_2 = W_2'$. 

Proof. We consider only the more complicated inclusion $W_2' \subseteq W_2$. Take $v_2' \in W_2'$. 
By definition we know that there is $v_1 \in W_1$ such that 

$$(q_1, v_1) \xrightarrow{g_L} (q_1', v_1) \xrightarrow{\delta_1} (q_1', v_1 + \delta_1) \xrightarrow{g_U, R} (q_2, [R](v_1 + \delta_1)) \xrightarrow{\delta_2} (q_2, [R](v_1 + \delta_1) + \delta_2)$$ 
and $v_2' = [R](v_1 + \delta_1) + \delta_2$. Since $g_L$ contains only lower bound guards, it remains 
satisfied after the delay $\delta_1$, so we get 

$$(q_1, v_1 + \delta_1) \xrightarrow{g_L} (q_1', v_1 + \delta_1) \xrightarrow{g_U, R} (q_2, [R](v_1 + \delta_1)) \xrightarrow{\delta_2} (q_2, [R](v_1 + \delta_1) + \delta_2)$$ 

So $(q_1, v_1 + \delta_1) \xrightarrow{g, R} (q_2, [R](v_1 + \delta_1)) \xrightarrow{\delta_2} (q_2, [R](v_1 + \delta_1) + \delta_2)$. As $W_1$ is time elapsed, $v_1 + \delta_1 \in W_1$. 
This shows $v_2' \in W_2$, by definition of $W_2$. □ 

So in order to satisfy our proviso we may need to double the number of states 
of an automaton. 

Algorithm 1.1 presented below computes a tree whose nodes $v$ have four 
components: $v.q$ is a state of $\mathcal{A}$, $v.Z$ is a zone, and $v.L$, $v.U$ are LU bound 
functions. Each node $v$ has a successor $v_t$ for every transition $t$ of $\mathcal{A}$ from $(v.q, v.Z)$ 
resulting in a non-empty zone. Some nodes will be marked tentative and not 
explored further. After an exploration phase, tentative nodes will be reexamined 
and some of them will be put on the stack for further exploration. At every 
point the leaves of the tree constructed by the algorithm will be of three kinds: 
tentative nodes, nodes on the stack, and nodes having no transition that needs to be 
explored. 

Our algorithm starts from the root node $v_{root}$ labeled with $q_0$ and $Z_0$: the 
initial state of $\mathcal{A}$, and the initial zone. We do not set the LU-bounds for $v_{root}$ 
Algorithm 1.1. Reachability algorithm with on-the-fly bound computation and $\mathfrak{a}_{\preceq LU}$ 
abstraction. 

    function main():
        let v_root be the root node with v_root.q = q_0 and v_root.Z = Z_0
        add v_root to the stack
        while (stack ≠ ∅) do
            remove v from the stack
            explore(v)
            resolve()
        return "empty"

    procedure explore(v):
        if (v.q is accepting)
            exit "not empty"
        if (∃ v'' non-tentative s.t. v.q = v''.q and v.Z ⊆ a_{≼ v''.LU}(v''.Z))
            mark v tentative wrt v''
            v.LU := v''.LU
            (X_L, X_U) := active clocks in v.LU
            propagate(v, X_L, X_U)
        else
            v.LU := disabled(v.q, v.Z)
            (X_L, X_U) := active clocks in v.LU
            propagate(v, X_L, X_U)
            for each (q', Z') s.t. (v.q, v.Z) ⇒ (q', Z') and Z' ≠ ∅ do
                create v' the successor of v with v'.q = q' and v'.Z = Z'
                explore(v')

    function disabled(q, Z):
        examine transitions from q that are disabled from Z and
        choose LU so that invariant I1 is satisfied
        return LU

    procedure resolve():
        for each v tentative w.r.t. v' do
            if v.Z ⊄ a_{≼ v'.LU}(v'.Z)
                mark v non-tentative
                set v.L and v.U to -∞        // clear the bounds in v
                add v to the stack

    procedure propagate(v', X'_L, X'_U):
        v := parent(v')
        LU := newbounds(v, v', X'_L, X'_U)
        if (LU ≠ v.LU)
            for each v_t tentative wrt v do
                (X^t_L, X^t_U) := clocks modified in LU wrt v_t.LU
                v_t.LU := LU
                propagate(v_t, X^t_L, X^t_U)
            (X_L, X_U) := clocks modified in LU wrt v.LU
            v.LU := LU                        // store the new bounds in v
            if (v ≠ v_root) then
                propagate(v, X_L, X_U)

    function newbounds(v, v', X'_L, X'_U):
        given a transition v → v', find new LU bounds for v knowing
        that the LU bounds for v' have changed, and
        X'_L are the clocks whose L bound has changed,
        X'_U are the clocks whose U bound has changed
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as this will be done by explore procedure. The main loop repeatedly alternates 
an exploration and a resolution phases until there are no nodes to be explored. 
The exploration phase constructs a part of ASG from a given node stopping at 
nodes that it considers tentative. During exploration LU bounds of some nodes 
may be changed in order to preserve invariants 12 and 13. The resolution phase 
examines tentative nodes and adds them to the stack for exploration if condition 
G3 of the definition of ASG is no longer satisfied. 

At the call of the procedure explore(w), node v is supposed to have its state 
v.q and zone v.Z set but the value of v.LU is irrelevant. The zone v.Z is supposed 
to be not empty. We assume that the constructed tree satisfies the invariants II, 
12, 13, but for the node v and the nodes on the stack. The goal of the explore 
procedure is to restore the invariant for v and start exploration of successors of 
v if needed. 

First, the procedure checks if v.q is an accepting state. If so, then we know that this state is reachable, since we assume that v.Z is not empty. When v.q is not accepting we consider two cases. If there exists a non-tentative node v'' in the current tree such that v.q = v''.q and v.Z ⊆ a_{≼v''.LU}(v''.Z), then v is a tentative node. The LU-bounds from v'' are copied to v and propagated so that invariant I2 is restored. This is the task of the propagate procedure that we describe below. If v is not covered then it should be explored. First, we compute its LU bounds based on the transitions that are disabled from v. The task of the function disabled is to calculate the LU bounds so that the invariant I1 holds. (The function is described in more detail in the next section.) Then we propagate these bounds in order to restore the invariant I2. Finally, we explore from every successor of v.

When the LU bounds in a node v' are changed, the invariant I2 should be restored. For this the bounds are propagated by invoking the propagate procedure. For efficiency, the procedure is also given the set of clocks X'_L whose L bound has changed, and the set X'_U of clocks whose U bound has changed. The parent v of v' is taken and the transition from v to v' is examined. The function newbounds calculates new LU bounds for a node given the changes in its successor. This function is the core of our algorithm and is the subject of the next section. Here it is enough to assume that the new bounds are such that the invariant I2 is satisfied. If the bounds of v indeed change then they should be copied to all nodes tentative with respect to v. This is necessary to satisfy the invariant I3. Finally, the bounds are propagated to the predecessor of v to restore invariant I2.

The exploration phase terminates because in the explore procedure the bound functions in each node never decrease and are bounded. They are bounded because the newbounds function never gives bounds bigger than those obtained by static analysis (cf. Equation (1)).

After the exploration phase the LU bounds of tentative nodes may have changed. The procedure resolve is called to check the consistency of the tentative nodes. If v is tentative w.r.t. v' but v.Z ⊆ a_{≼v'.LU}(v'.Z) is not true anymore, v needs to be explored. Hence it is viewed as a new node and put on the stack for further consideration in the function main.

The algorithm terminates when either it finds an accepting state, or there are no nodes to be explored and all tentative nodes remain tentative. In the second case we can conclude that the constructed tree represents an ASG, and hence no accepting state is reachable. Note that the overall algorithm terminates because the bounds can only increase and the bounds in a node (q, Z) are not bigger than the bounds obtained for q by static analysis (cf. Remark on page 10).

From the above discussion it follows that the algorithm returns "empty" only when it constructs a complete ASG. The correctness of the algorithm then follows from Theorem 1.

Proposition 3. The algorithm always terminates. If for a given A the result is "not empty" then A has an accepting run. Otherwise the algorithm returns "empty" after constructing an ASG for A and not seeing an accepting state.



5 Controlling LU-bounds

The notion of adaptive simulation graph (Definition 9) gives necessary conditions for the values of the LU bounds in every node. The invariant I1 tells that the LU bounds in a node should take into account the edges disabled from the node. The invariant I2 gives a lower bound on LU with respect to the LU-bounds in the successors of the node. Finally, I3 tells us that the LU bounds in a covered node should not be smaller than in the covering node. The algorithm from the last section implements a construction of an ASG with updates of the bounds when required by the invariants.

The three invariants sometimes allow for much smaller LU-bounds than those obtained by static analysis. A very simple example is when the algorithm does not encounter a node with a disabled edge. In this case all LU-bounds are simply −∞, since no bound is increased due to I1, and such bounds are not changed by propagation. When the LU bounds are −∞, the a_{≼LU} abstraction of a zone results in the set of all valuations. So in this case the ASG can be just a subgraph of the automaton. More interesting examples of important gains are discussed in the next section.

In this section we describe the two central functions of the proposed algorithm: disabled and newbounds. The pseudo-code is presented in Algorithm 1.2.

The disabled function is quite simple. Its task is to restore the invariant I1. For this it chooses from every disabled transition an atomic guard that makes it disabled. Recall that we have assumed that every guard contains either only lower bound constraints or only upper bound constraints. A transition with only lower bound constraints cannot be disabled (the zones of the zone graph are closed under time elapse). Hence a guard on a disabled transition must be a conjunction of upper bound constraints. It can be shown that if such a guard is not satisfied in a zone then there is one atomic constraint that is not satisfied in the zone. Now it suffices to observe that if a guard x < d or x ≤ d is not satisfied in Z then it is not satisfied in a_{≼LU}(Z) when U(x) = d. This follows directly from the definition of LU-simulation (Definition 7).
For the rest of this section we focus on the description of the function newbounds(v, v', X'_L, X'_U). This function calculates new LU-bounds for v, given that the bounds in v' have changed. As additional information we use the sets of clocks X'_L and X'_U that have changed their L-bound and U-bound, respectively, in v'. This information makes the function newbounds more efficient, since the new bounds depend only on the clocks in X'_L and X'_U. The aim is to give bounds that are as small as possible and at the same time satisfy invariant I2 from Definition 9.

Recall that we have assumed that every transition has either only upper 
bound guards, or only lower bound guards and no resets (cf. page 11). This 
assumption will simplify the newbounds function. We will first consider the case 
of transitions with just an atomic guard or with just a reset. Next we will put 
what we have learned together to treat the general case. 



5.1 Reset

Consider a transition (q, Z) ⇒_R (q', Z') for the set of clocks R being reset. So we have Z' = Z[R := 0]↑, i.e., we reset the clocks in R and let the time elapse. Suppose that we have updated L'U' and now we want our newbounds function to compute L_newU_new. We let L_newU_new be the maximum of LU and L'U', but with L_new(x) = U_new(x) = −∞ for x ∈ R. We want to show that invariant I2 holds, that is:

$$
\mathfrak{a}_{\preceq L_{new}U_{new}}(Z)[R := 0] \subseteq \mathfrak{a}_{\preceq L'U'}(Z[R := 0]).
$$

To prove this inclusion, take a valuation v ∈ a_{≼L_newU_new}(Z). By definition there is a valuation v' ∈ Z with v ≼_{L_newU_new} v'. We obtain that v[R := 0] ≼_{L'U'} v'[R := 0] using directly Definition 7. Indeed, for every clock in R, its values in the two valuations are the same. For the other clocks the required implications hold since v ≼_{L_newU_new} v', and moreover the bounds L_newU_new and L'U' are the same for these clocks.



5.2 An abstract formula for the atomic guard case

Consider a transition (q, Z, LU) ⇒_g (q', Z', L'U'). Suppose that we have updated L'U' and now we want our newbounds function to compute L_newU_new. In the standard constant propagation algorithm, we would have set L_newU_new to be the maximum over LU, L'U' and the constant present in the guard. This is sufficient to maintain Invariant 2. However, it is not necessary to always take the guard g into consideration for the propagation.

Let L_gU_g be the bound function induced by the guard g. In our case where there is only one constraint, there is only one constant associated to a single clock by L_gU_g. Roughly, in order to maintain Invariant 2, it suffices to take

$$
L_{new}U_{new} =
\begin{cases}
\max(LU, L'U') & \text{if } LU \ge L_gU_g, \text{ or } [g] \subseteq \mathfrak{a}_{\preceq L'U'}(Z'), \text{ or } Z \subseteq \mathfrak{a}_{\preceq L'U'}(Z') \\
\max(LU, L'U', L_gU_g) & \text{otherwise}
\end{cases}
\qquad (3)
$$

To see why the above should maintain Invariant 2, look at the transition with the new bounds:

$$
(q, Z, L_{new}U_{new}) \Rightarrow_g (q', Z', L'U')
$$

Clearly from the above definition, L_newU_new ≥ L'U'.

Additionally, if L_newU_new ≥ L_gU_g, that is, if the constant in the guard is incorporated in L_newU_new, it is easy to show using the definition of simulation that Post_g(a_{≼L_newU_new}(Z)) ⊆ a_{≼L'U'}(Z').

We now need to show the same for the cases when L_newU_new does not incorporate the constant in the guard. From the definition of the Pre, this happens only if either [g] ⊆ a_{≼L'U'}(Z') or Z ⊆ a_{≼L'U'}(Z'). Let us look closely at what Post_g(a_{≼L_newU_new}(Z)) is:

$$
Post_g(\mathfrak{a}_{\preceq L_{new}U_{new}}(Z)) = \big(\mathfrak{a}_{\preceq L_{new}U_{new}}(Z) \cap [g]\big)\!\uparrow
$$

If [g] ⊆ a_{≼L'U'}(Z'), then a_{≼L_newU_new}(Z) ∩ [g] would be included in a_{≼L'U'}(Z'). As a_{≼L'U'}(Z') is closed under time-elapse, we will have Post_g(a_{≼L_newU_new}(Z)) ⊆ a_{≼L'U'}(Z'). Similarly if Z ⊆ a_{≼L'U'}(Z'): we will have a_{≼L'U'}(Z) ⊆ a_{≼L'U'}(Z'), and as L_newU_new ≥ L'U', we have a_{≼L_newU_new}(Z) ⊆ a_{≼L'U'}(Z'). It follows that

$$
Post_g(\mathfrak{a}_{\preceq L_{new}U_{new}}(Z)) \subseteq \mathfrak{a}_{\preceq L'U'}(Z').
$$




5.3 A concrete algorithm for the atomic guard case

Since bound propagation is called very often in the main algorithm, we need an efficient test for the inclusions in Formula (3). The formula requires us to test inclusion w.r.t. a_{≼LU} between Z and Z' each time we want to do the Pre. Although this seems complicated at first glance, note that Z' is a zone obtained by a successor computation from Z. When we have only a guard in the transition, we have Z' = Z ∧ g. This makes the inclusion test a lot simpler. We will also see that it is not necessary to consider the inclusion [g] ⊆ a_{≼L'U'}(Z').

Before proceeding, we need to look closer at how zones are represented. One standard way to represent zones is using difference bound matrices (DBMs) [Dil89]. We will consider an equivalent representation in terms of distance graphs.

A distance graph has clocks as vertices, with an additional special clock x_0 representing the constant 0. For readability, we will often write 0 instead of x_0. Between every two vertices there is an edge with a weight of the form (≺, c), where c ∈ ℤ and ≺ is either < or ≤; or (≺, c) equals (<, ∞). An edge x → y represents a constraint y − x ≺ c; in words, the distance from x to y is bounded by c. An example of a distance graph is depicted in Fig. 2.

Fig. 2. Distance graph for the zone (x − y ≥ 1 ∧ y ≤ 2 ∧ x ≥ 4).

Let [G] be the set of valuations of clock variables satisfying all the constraints given by the edges of G, with the restriction that the value of x_0 is 0.

One can define an arithmetic and an order over the weights (≺, c) in the expected manner [BY04b]. We recall only the definition of the order, which is the most relevant for us here:

Order: (≺_1, c_1) < (≺_2, c_2) if either c_1 < c_2, or (c_1 = c_2 and ≺_1 is < and ≺_2 is ≤).

A distance graph is in canonical form if the weight of the edge from x to y is the lower bound of the weights of the paths from x to y. For instance, the distance graph shown in Figure 2 is not in canonical form, as the weight of the edge x → y is (≤, −1) whereas there is a path x → 0 → y whose weight is (≤, −2). To convert it to canonical form, it is sufficient to change the weight of the edge x → y to (≤, −2).

For two distance graphs G_1, G_2 which are not necessarily in canonical form, we denote by min(G_1, G_2) the distance graph where each edge has the weight equal to the minimum of the corresponding weights in G_1 and G_2. Even though this graph may not be in canonical form, it should be clear that it represents the intersection of the two arguments, that is, [min(G_1, G_2)] = [G_1] ∩ [G_2]; in other words, the valuations satisfying the constraints given by min(G_1, G_2) are exactly those satisfying all the constraints from G_1 as well as G_2.

A zone Z can be identified with the distance graph in canonical form representing the constraints in Z. For two clocks x, y we write Z_{xy} for the weight of the edge from x to y in this graph. A special case is when x or y is 0, so for example Z_{0y} denotes the weight of the edge from 0 to y.

We recall a theorem from [HSW12] that permits to handle the test Z ⊆ a_{≼L'U'}(Z') efficiently.

Theorem 2. Let Z, Z' be two non-empty zones. Then Z ⊄ a_{≼L'U'}(Z') iff there exist two clocks x, y such that:

$$
Z_{x0} \ge (<, -U'_x) \quad\text{and}\quad Z'_{xy} < Z_{xy} \quad\text{and}\quad Z'_{xy} + (<, -L'_y) < Z_{x0} \qquad (4)
$$

We are ready to proceed with our analysis. We distinguish two cases depending on whether the guard g is of the form w ≥ d or w ≤ d.

Lower bound guard: When we have a lower bound guard, the diagonals do not change during intersection and time-elapse. Hence we have Z'_{xy} = Z_{xy} when both x and y are non-zero variables. This shows that (4) cannot be true when both x and y are non-zero, as the second condition is false. Yet again, when x is 0, the second condition cannot be true, as both Z_{0y} = Z'_{0y} = (<, ∞). It remains to consider the single case when y is 0. It boils down to checking if there exists a clock x such that:

$$
Z_{x0} \ge (<, -U'_x) \quad\text{and}\quad Z'_{x0} < Z_{x0} \qquad (5)
$$

In words, the above test asks if there exists a clock x whose x → 0 edge in Z has reduced in Z', and additionally the edge weight (≺, −c) in Z satisfies either c < U'_x or (≺, c) = (≤, U'_x). If such a clock exists, the definition of Pre in (3) suggests that we need to check if [g] ⊆ a_{≼L'U'}(Z').

Let us look at the distance graph of [g]. It has an edge w → 0 of weight (≤, −d) and edges x → 0 of weight (≤, 0) for all other clocks x. All other edges are ∞. We now apply the inclusion test (4) between this distance graph and Z'. Note that if (4) is true, then there is a clock x that has Z'_{x0} < Z_{x0}. But as Z_{x0} ≤ (≤, 0), we will have Z'_{x0} < (≤, 0), which implies that Z'_{x0} < [g]_{x0}. This shows that if the inclusion between the zones does not hold, then the inclusion of the guard g in Z' also does not hold. Therefore testing (5) is sufficient. This gives us the following formula, with the additional observation that Z'_{x0} can only be less than or equal to Z_{x0}:

$$
L_{new}U_{new} =
\begin{cases}
\max(LU, L'U', L_gU_g) & \text{if } L(w) < d \text{ and } \exists x.\ (Z_{x0} \ge (<, -U'_x)) \wedge (Z'_{x0} < Z_{x0}) \\
\max(LU, L'U') & \text{otherwise}
\end{cases}
\qquad (6)
$$

Also note that this can easily be extended to an incremental procedure: whenever we add an extra clock to U', we need to check only this clock. The above definition also suggests that whenever only L' is modified we don't have to check anything and just propagate the new values of L'.
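The distance-graph representation of this section, the inclusion test of Theorem 2 and the lower-bound-guard rule (6) (together with the disabled function of invariant I1), as an added Python example that is not code from the paper. Weights are encoded as (c, s) tuples so that Python's tuple order coincides with the paper's order on weights; the zero clock is given L = U = 0, which is an assumption of this example; the zones, guards and bounds at the bottom are constructed, loosely following A_2 of Section 6.2.

```python
from itertools import product

NEG_INF = float("-inf")
INF = (float("inf"), 0)   # the weight (<, ∞)
LE, LT = 1, 0             # (c, LE) encodes (≤, c); (c, LT) encodes (<, c)
# Tuple order is the paper's order on weights: (c, LT) < (c, LE) < (c + 1, LT).

def add(w1, w2):
    """Sum of two weights: constants add, and the sum is strict if either is."""
    return (w1[0] + w2[0], min(w1[1], w2[1]))

def canonical(G):
    """Floyd-Warshall: edge x->y becomes the least weight of any path x->y."""
    n = len(G)
    for k, i, j in product(range(n), repeat=3):
        G[i][j] = min(G[i][j], add(G[i][k], G[k][j]))
    return G

def zone(n, edges):
    """Canonical distance graph on vertex 0 (the constant 0) and clocks 1..n;
    an edge (x, y, (c, s)) is the constraint y - x ≼ c."""
    G = [[INF] * (n + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        G[i][i] = (0, LE)
        if i:
            G[i][0] = (0, LE)    # clocks are non-negative: 0 - x ≤ 0
    for x, y, w in edges:
        G[x][y] = min(G[x][y], w)
    return canonical(G)

def is_empty(G):
    return any(G[i][i] < (0, LE) for i in range(len(G)))

def not_included(Z, Zp, L, U):
    """Theorem 2: Z ⊄ a_{≼LU}(Z') iff some vertices x, y satisfy the three
    conditions below; returns such a witness (x, y) or None.  Assumption of
    this example: the zero clock carries L[0] = U[0] = 0, which is what makes
    the third condition vacuous for y = 0, as in the derivation of (5)."""
    for x, y in product(range(len(Z)), repeat=2):
        if (Z[x][0] >= (-U[x], LT) and Zp[x][y] < Z[x][y]
                and add(Zp[x][y], (-L[y], LT)) < Z[x][0]):
            return (x, y)
    return None

def disabled(Z, disabled_guards, L, U):
    """Invariant I1: for each disabled transition (its guard given as a list of
    atomic upper-bound constraints (x, d)) pick one x ≤ d that Z violates and
    raise U(x) to d.  Z violates x ≤ d iff every valuation has x > d, that is
    Z_x0 < (≤, -d)."""
    L, U = list(L), list(U)
    for guard in disabled_guards:
        x, d = next((x, d) for x, d in guard if Z[x][0] < (-d, LE))
        U[x] = max(U[x], d)
    return L, U

def lower_guard_successor(Z, w, d):
    """Z' = (Z ∧ w ≥ d)↑ : intersect with the guard, then let time elapse."""
    Zp = [row[:] for row in Z]
    Zp[w][0] = min(Zp[w][0], (-d, LE))     # w ≥ d  is  0 - w ≤ -d
    canonical(Zp)
    for x in range(1, len(Zp)):
        Zp[0][x] = INF                       # time elapse drops upper bounds
    return Zp

def newbounds_lower(Z, L, U, Lp, Up, w, d):
    """Formula (6) for Z --(w ≥ d)--> Z' after L'U' changed in the successor:
    LU := max(LU, L'U'), and the guard constant d enters L(w) only if some
    clock x has Z_x0 ≥ (<, -U'_x) and Z'_x0 < Z_x0."""
    Lnew = [max(a, b) for a, b in zip(L, Lp)]
    Unew = [max(a, b) for a, b in zip(U, Up)]
    Zp = lower_guard_successor(Z, w, d)
    if Lnew[w] < d and any(Z[x][0] >= (-Up[x], LT) and Zp[x][0] < Z[x][0]
                           for x in range(1, len(Z))):
        Lnew[w] = d
    return Lnew, Unew

# Constructed inputs.  Fig. 2 with x = 1, y = 2:  x - y ≥ 1 ∧ y ≤ 2 ∧ x ≥ 4;
# after canonicalisation FIG2[1][2] is (-2, LE), the edge x->y of weight (≤, -2).
FIG2 = zone(2, [(1, 2, (-1, LE)), (0, 2, (2, LE)), (1, 0, (-4, LE))])
# Fig. 5: Z1 = (x ≤ y) and Z2 = (x ≥ y), with L = U = 1 for both clocks;
# not_included finds a witness in both directions, so neither covers the other.
Z1 = zone(2, [(2, 1, (0, LE))])
Z2 = zone(2, [(1, 2, (0, LE))])
ONE = [0, 1, 1]
# Loosely after A2 (Section 6.2): clocks x = 1, y = 2, w = 3, Z0 = (x = y = w ≥ 0),
# lower-bound guard x ≥ 5 leading to Z5 = (x = y = w ≥ 5).  At Z5 a transition
# guarded by x ≤ 10 ∧ w ≤ 1 is disabled; only w ≤ 1 is violated, giving U(w) = 1,
# and with that U'(w) the guard x ≥ 5 is taken into L(x) by formula (6).
X, W = 1, 3
Z0 = zone(3, [(1, 2, (0, LE)), (2, 1, (0, LE)), (1, 3, (0, LE)), (3, 1, (0, LE))])
Z5 = lower_guard_successor(Z0, X, 5)
NONE = [0] + [NEG_INF] * 3                   # no bounds yet, zero clock at 0
U5 = disabled(Z5, [[(X, 10), (W, 1)]], NONE, NONE)[1]
```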



Upper bound guard: When we have an upper bound guard, the diagonals might change. However, no edge 0 → x or x → 0 changes. Therefore we need to check (4) only for two non-zero variables x and y.

In other words, among clocks x that have a finite U' constant and clocks y that have a finite L' constant, we check if there is a diagonal x → y that has strictly reduced in Z' and additionally satisfies Z'_{xy} + (<, −L'_y) < Z_{x0}. Note that this also entails [g] ⊄ a_{≼L'U'}(Z'). This is because when g is w ≤ d, we have [g]_{xy} = (<, ∞) and [g]_{x0} = (≤, 0), and hence (4) becomes true when Z is substituted with [g]. Therefore it is sufficient to check (4) for non-zero variables x and y. This gives the following formula:

$$
L_{new}U_{new} =
\begin{cases}
\max(LU, L'U', L_gU_g) & \text{if } U(w) < d \text{ and } \exists x, y.\ Z_{x0} \ge (<, -U'_x) \wedge Z'_{xy} < Z_{xy} \wedge Z'_{xy} + (<, -L'_y) < Z_{x0} \\
\max(LU, L'U') & \text{otherwise}
\end{cases}
\qquad (7)
$$

This test can also be done incrementally. Each time we propagate, we need to perform extra checks only when a new clock has got a finite value for either L' or U'.

Upper bound and reset. Here we consider the case when we have a guard and a reset at the same time. So we consider the transition Z ⇒_{(w ≤ d), R} Z'. We will combine the cases above, since we will treat this transition as

$$
Z \Rightarrow_{b := 0} Z^1 \Rightarrow_{w \le d} Z^2 \Rightarrow_{R} Z^3 \Rightarrow_{b \le 0} Z^4
$$

Suppose we have L'U' = L^4U^4 that we want to propagate back to Z. Since b is a clock introduced for technical reasons we can assume that L^4(b) = U^4(b) = −∞. We need to calculate the values of the changed edges in all the zones:

– In Z^1 we get Z^1_{b0} = 0, Z^1_{xb} = Z_{x0}, and Z^1_{bx} = ∞.

– In Z^2 we get Z^2_{xy} = Z_{x0} + d + Z_{wy} (if this edge changes).

– In Z^3 every edge stays the same but for the clocks that are reset. We have Z^3_{y0} = 0, Z^3_{xy} = Z_{x0}, and Z^3_{yx} = ∞ for y ∈ R and x ∉ R.

– In Z^4 we get Z^4_{xy} = Z_{x0} + Z^2_{by} if this edge changes.

  • Suppose x ∉ R. From the second item we know that Z^2_{by} = d + Z_{wy}. So Z^4_{xy} = Z_{x0} + d + Z_{wy} = Z^2_{xy}. This means that no such edge changes.

  • Suppose x ∈ R. Then Z^4_{xy} = Z^3_{x0} + Z^2_{by} = d + Z_{wy}. Since Z^3_{xy} = ∞, this edge necessarily changes.

Because of the last item we see that we always take the guard b ≤ 0 into U. So L^3U^3 = L^4U^4[U_b = 0]. Now L^2U^2 = L^3U^3[R = −∞]. In order to get L^1U^1 we apply formula (7), using what we know about the relation between L'U' and L^2U^2:

$$
L^1U^1 =
\begin{cases}
\max(LU, L'U', L_gU_g) & \text{if } U(w) < d \text{ and } \exists x, y \notin R.\ Z^1_{x0} \ge (<, -U^3_x) \wedge Z^2_{xy} < Z^1_{xy} \wedge Z^2_{xy} + (<, -L'_y) < Z^1_{x0} \\
\max(LU, L'U', L_gU_g) & \text{if } \exists y \notin R.\ d + Z_{wy} + (<, -L'_y) < 0 \\
\max(LU, L'U') & \text{otherwise}
\end{cases}
\qquad (8)
$$

The second case is the specialization of the first for x = b. So we see that we almost always take the guard w ≤ d. Observe that the first condition implies the second, since Z^2_{xy} = Z^1_{x0} + d + Z_{wy}. So if Z^2_{xy} + (<, −L'_y) < Z^1_{x0} then Z^1_{x0} + d + Z_{wy} + (<, −L'_y) < Z^1_{x0}, which is equivalent to d + Z_{wy} + (<, −L'_y) < Z^1_{x0} − Z^1_{x0}. But this difference is ≤ 0 since the zone is not empty.



5.4 Implementation of the newbounds function

We consider a transition of the form

$$
(q, Z, LU) \Rightarrow_g (q', Z', L'U')
$$

We suppose that the newbounds function examines this transition. The bounds L'U' have been updated and now we determine how to update the bounds LU. Let X'_L be the set of clocks for which the L' bound has been updated. Similarly X'_U for the U' bounds.

We will define the new bounds for (q, Z). So the node (q, Z, LU) will be changed to (q, Z, L_newU_new). Observe that the bounds can only increase.

We have four cases depending on the type of the guard. The pseudocode is presented in Algorithm 1.2.

Lower bound guard We consider a transition of the form (q, Z, LU) ⇒_{g_l} (q', Z', L'U') with g_l = ⋀_{i=1..k} v_i ≥ d_i. First, we set L_newU_new to the maximum of LU and L'U'; notice that by the definition of X'_L and X'_U we need to calculate the maximum only for the clocks in these two sets. Then we establish the set of edges E of the zone Z' that have changed and that are relevant for the test (4). The final loop decides which constraints should be taken to increase the L bound. We take d_i when it indeed determines some relevant edge from E. If we take d_i then we update L_new and remove from E all edges that are set by d_i. This is because there may be another constraint that influences the same change in Z', and there is no point in taking it.

For the correctness proof let g^1_l be the set of constraints that have been taken and g^2_l the constraints that have been omitted. The transition (q, Z, L_newU_new) ⇒_{g_l} (q', Z', L'U') can be decomposed into (q, Z, L_newU_new) ⇒_{g^1_l} (q', Z^1, L'U') ⇒_{g^2_l} (q', Z', L'U'). From the algorithm we know that all the edges from E as in line 18 are the same in Z^1 and Z'. Hence by formula (6) we get Post_{g^2_l}(a_{≼L'U'}(Z^1)) ⊆ a_{≼L'U'}(Z'). Since all the guards from g^1_l are taken we get Post_{g^1_l}(a_{≼L_newU_new}(Z)) ⊆ a_{≼L'U'}(Z^1).

Upper bound guard We consider a transition of the form (q, Z, LU) ⇒_{g_u} (q', Z', L'U') with g_u = ⋀_{i=1..k} w_i ≤ e_i. Let us explain Algorithm 1.2 in this case. As in the previous case we set L_newU_new to the maximum of LU and L'U'. Next we calculate the set of edges E that can influence taking a guard. The final loop considers the constraints one by one. When a constraint implies an edge in E we take the constraint and remove all the edges implied by it.

The correctness proof is very similar to the previous case. Let g^1_u be the set of constraints that have been taken and g^2_u the constraints that have been
Algorithm 1.2

function disabled(q, Z)
    L := L_{−∞}; U := U_{−∞};
    for every transition t from q disabled from (q, Z) do
        choose an atomic guard x ≤ d from the guard of t
            such that Z ⊭ x ≤ d          // the guard of t has only upper bound constraints
        U(x) := max(d, U(x))
    return (L, U)

function newbounds(v, v', X'_L, X'_U)
    for every clock x do
        if x ∈ X'_L then L_new(x) := max(L(x), L'(x)) else L_new(x) := L(x);
        if x ∈ X'_U then U_new(x) := max(U(x), U'(x)) else U_new(x) := U(x);
    if transition v → v' is a lower bound guard ⋀_{i=1..k} v_i ≥ d_i then
        E := {(x, 0) : x ∈ X'_U and Z_{x0} ≥ (<, −U'_x) and Z'_{x0} < Z_{x0}};        // line 18
        while E ≠ ∅ do
            choose d_i such that there is (x, 0) ∈ E with −d_i + Z_{x v_i} = Z'_{x0};
            L_new(v_i) := max(d_i, L_new(v_i));
            E := E \ {(x, 0) : −d_i + Z_{x v_i} = Z'_{x0}}
    else if transition v → v' is an upper bound guard ⋀_{i=1..k} w_i ≤ e_i then
        E := {(x, y) : x ∈ X'_U and y ∈ X'_L and                                      // line 25
              Z_{x0} ≥ (<, −U'_x) and Z'_{xy} < Z_{xy} and Z'_{xy} + (<, −L'_y) < Z_{x0}};
        while E ≠ ∅ do
            choose e_i such that there is (x, y) ∈ E with e_i + Z_{w_i y} + Z_{x0} = Z'_{xy};
            U_new(w_i) := max(e_i, U_new(w_i));
            E := E \ {(x, y) : e_i + Z_{w_i y} + Z_{x0} = Z'_{xy}}
    else if transition v → v' is a reset R then
        for x ∈ R do
            L_new(x) := L(x); U_new(x) := U(x);
    else if transition v → v' is an upper bound guard ⋀_{i=1..k} w_i ≤ e_i and a reset R then
        fix some r ∈ R;
        E := {(r, y) : y ∈ X'_L \ R and Z'_{ry} < (<, L'_y)};
        while E ≠ ∅ do
            choose e_i such that there is (r, y) ∈ E with e_i + Z_{w_i y} = Z'_{ry};
            U_new(w_i) := max(e_i, U_new(w_i));
            E := E \ {(r, y) : e_i + Z_{w_i y} = Z'_{ry}};
    return (L_new, U_new);
omitted. The transition (q, Z, L_newU_new) ⇒_{g_u} (q', Z', L'U') can be decomposed into (q, Z, L_newU_new) ⇒_{g^1_u} (q', Z^1, L'U') ⇒_{g^2_u} (q', Z', L'U'). From the algorithm we know that all the edges from E as in line 25 are the same in Z^1 and Z'. Hence by formula (7) we get Post_{g^2_u}(a_{≼L'U'}(Z^1)) ⊆ a_{≼L'U'}(Z'). Since all the guards from g^1_u are taken we get Post_{g^1_u}(a_{≼L_newU_new}(Z)) ⊆ a_{≼L'U'}(Z^1).

Reset The case of a reset follows directly from the formula in Section 5.1.

Upper bound and reset This case follows directly from formula (8).



6 Examples

In this section we analyze the behavior of our algorithm on some examples in order to explain some of the sources of the gains reported in the next section.

6.1 All edges enabled

Consider the automaton A_1 shown in Figure 3. In the same figure, the zone graph of A_1 has been depicted. Note that the zone graph has no edges disabled and hence is isomorphic to the automaton. In such a case, observe that it is safe to abstract all the zones by the true zone. The set of reachable states of the automaton remains the same even after abstracting all zones to the true zone.



[Fig. 3 (diagram not reproduced): A_1 has states q_0 → q_1 → q_2 → q_3 with guards x ≥ 5, y ≥ 5 and w ≤ 10; the zone graph labels them q_0: (x = y = w ≥ 0), q_1: (x = y = w ≥ 5), q_2: (x = y = w ≥ 5), q_3: (x = y = w ≥ 5).]

Fig. 3. A_1: all edges enabled in the zone graph



Algorithm 1.1 is able to incorporate this phenomenon. Initially all the constants are −∞ and hence the a_{≼LU} abstraction of each zone gives the true zone. The algorithm starts propagating finite LU-constants only when it encounters a disabled edge during exploration. In particular, if there are no edges disabled, all the constants are kept at −∞. We will now see an example where this property of the propagation yields an exponential gain over the static analysis method and the on-the-fly constant propagation procedure.

Consider the automaton D_n shown in Figure 4. This is slightly modified from the example given in [LNZ05]. We have changed all guards to check for an equality. It is a parallel composition of three components. Automaton D_n has 2n clocks: x_1, …, x_n and y_1, …, y_n. The first two components respectively reset the x-clocks and the y-clocks. The third component can be fired only after the first two have reached their a_n states. The states of the product automaton D_n are of the form (a_i, a_j, b_0) and (a_n, a_n, b_k) where i, j, k ∈ {0, …, n}. In all, there are (n + 1)^2 + n states in the product automaton. Let us assume that no state is accepting, so that any algorithm that explores this automaton should explore the entire zone graph.

[Fig. 4 (diagram not reproduced): the three components of D_n; the first resets x_1 := x_2 := … := x_n := 0 and sets B_1 := true, the second resets y_1, …, y_n and sets B_2 := true, and the third is guarded by B_1, B_2 and x_i = 1.]

Fig. 4. Automaton D_n

Clearly, all the transitions can be fired if no time elapses in the states (a_i, a_j, b_0) for i, j ∈ {1, …, n − 1} and exactly one time unit elapses in (a_n, a_n, b_0). Therefore, the zone graph of D_n has no edges disabled, which implies that the LU-constants given by Algorithm 1.1 in each node are −∞. The number of uncovered nodes in the ASG obtained would be the same as the number of states.



Static analysis: However, the static analysis procedure would give L = U = 1 for every clock. We will now see that this would yield a zone graph with at least 2^n nodes.




[Fig. 5 (diagram not reproduced): the zones Z_1 and Z_2 with L_x = U_x = L_y = U_y = 1 and their abstractions a_{≼LU}(Z_1) and a_{≼LU}(Z_2).]

Fig. 5. Zones indistinguishable by a_{≼LU}



Consider Figure 5, which shows two zones Z_1 and Z_2 and their a_{≼LU} abstractions when L = U = 1 for both clocks x and y. Zone Z_1 is given by all valuations that satisfy x ≤ y. Similarly zone Z_2 is given by all valuations that satisfy x ≥ y. Observe that Z_1 and Z_2 are incomparable with respect to a_{≼LU}, that is, Z_1 ⊄ a_{≼LU}(Z_2) and Z_2 ⊄ a_{≼LU}(Z_1).

In our example of the automaton D_n, if in a path x_1 is reset before y_1 then in the state (a_n, a_n, b_0) we would have a zone that entails y_1 ≤ x_1. Similarly, if y_1 is reset before x_1, then the zone would entail x_1 ≤ y_1. In each of these paths to (a_n, a_n, b_0) clock x_2 could be reset either before or after y_2, and so on for each x_i. There are at least 2^n paths leading to (a_n, a_n, b_0), each of them giving a different zone depending on the order of resets. Note that two zones are incomparable if their projections onto 2 clocks are incomparable. By the argument in the previous paragraph, each of the mentioned zones would be incomparable with respect to the others. Therefore there are at least 2^n uncovered nodes with state (a_n, a_n, b_0).

a_{≼LU},otf: As all the edges are enabled, the constant propagation algorithm would explore a path up to (a_n, a_n, b_n). This would therefore give L = U = 1 for each clock, similar to static analysis. So in this case too there would be at least 2^n uncovered nodes in the reachability tree obtained.



6.2 Presence of disabled edges 

Consider the automaton A_2 in Figure 6. One can see that the last transition, the one with the upper bound, is not fireable. The edge is disabled because the value of w in all the valuations of Z_3 is bigger than 1. The cause of this increase is the first lower bound guard x ≥ 5. At q_1 itself, all the valuations have w > 1. As w is never reset in the automaton, there is no way w can get smaller than 1 after passing this guard. Note that the guards y ≥ 5 and z ≥ 100 do not play a role at all in the edge being disabled. Even if they had not been there, the edge would be disabled.

[Fig. 6 (diagram not reproduced): A_2 has states q_0 → q_1 → q_2 → q_3 with the lower bound guards x ≥ 5, y ≥ 5, z ≥ 100 and a final upper bound guard on w; the zone graph labels them q_0: (x = y = w ≥ 0), q_1: (x = y = w ≥ 5), q_2: (x = y = w ≥ 5), q_3: (x = y = w ≥ 100).]

Fig. 6. A_2: one edge disabled




We want to capture this scenario by saying that at q_0 the relevant constants are L_0(x) = 5 and U_0(x) = 1, and the rest are −∞. One can verify that Algorithm 1.1 would give exactly these constants. The static analysis algorithm or the constant propagation would additionally give L(y) = 5 and L(z) = 100, which we have seen are unnecessary. This way, we get smaller constants and hence bigger abstract zones.

We will now see that this pruning can sometimes lead to an exponential gain. We will modify the example D_n of Section 6.1.

Let D'_n be the automaton shown in Figure 7. It is the same as D_n except that now every guard involving a y-clock is y == 2. Starting from a node ((a_n, a_n, b_0), Z, LU), it is possible to reach a node with state (a_n, a_n, b_n) only if Z entails x_i ≤ y_i for all i. If "fortunately" the order of exploration of the resets leads us to such a zone Z, then this path would yield no constants and hence the abstraction would give the true zone. Due to this there would not be any more exploration from (a_n, a_n, b_0), and we would have the number of uncovered nodes equal to the number of states of the automaton.

[Fig. 7 (diagram not reproduced): D'_n; the first component resets x_1 := x_2 := … := x_n := 0 and sets B_1 := true, the second resets y_1 := y_2 := … := y_n := 0 and sets B_2 := true.]

Fig. 7. Automaton D'_n

If it is not the case, then there is an i such that y_i < x_i and for all j < i, x_j ≤ y_j. Therefore, the path can be taken up to the transition that checks for y_i ≥ 2 and x_i ≤ 1, which is then disabled. The disabled edge gives the constant U(x_i) = 1 and the propagation algorithm additionally generates L(y_i) = 2 and propagates these two backwards. These are the relevant guards that cause the disabled edge. Since these are the only constants, in the future exploration will not occur from a node ((a_n, a_n, b_0), Z', L'U') if Z' satisfies x_i ≤ y_i, as such nodes will be covered. There will be at most n uncovered nodes with the state (a_n, a_n, b_0), and hence the total number of uncovered nodes will be quadratic in n.

Static analysis: The static analysis procedure would give L = U = 2 for all y-clocks and L = U = 1 for all x-clocks. A similar argument as in Section 6.1 would show at least 2^n uncovered nodes with state (a_n, a_n, b_0).

a_{≼LU},otf: The otf bounds algorithm could work slightly differently from the previous case. The constants generated depend on the first path. If the first path leads up to (a_n, a_n, b_n) then constants are generated for all clocks. Then the zone cannot cover any of the future zones that appear at (a_n, a_n, b_n). A depth-first search algorithm would clearly then be exponential. Otherwise, if the path gets cut at b_{k−1}, constants are generated for all clocks x_1, y_1, …, x_k, y_k. In this case, at least 2^k nodes at (a_n, a_n, b_0) need to be distinguished.

7 Experiments 

We report experiments in Table 1 for classical benchmarks from the literature.
The first two columns compare UPPAAL 4.1.13 with our own implementation
of UPPAAL's algorithm ($Extra^+_{LU}$,sa). We have taken particular care to ensure
that the two implementations deal with the same model and explore it in the
same way. However, on the last example (Stari), we did not manage to force the
same search order in the two tools.

Model        clocks | UPPAAL (-C)      | Extra+LU, sa     | a≼LU, otf        | a≼LU, disabled
                    |   nodes   time   |   nodes   time   |   nodes   time   |   nodes   time
D'_7           14   |   18654   11.6   |   18654    8.1   |     213    0.0   |      72    0.0
D'_8           16   |       -      -   |       -      -   |     274    0.0   |      90    0.0
D'_70         140   |       -      -   |       -      -   |       -      -   |    5112    1.9
CSMA/CD 10     11   |  120845    1.9   |  120844    6.3   |   78604    6.1   |   74324    6.1
CSMA/CD 11     12   |  311310    5.4   |  311309   16.8   |  198669   16.1   |  188315   15.9
CSMA/CD 12     13   |  786447   14.8   |  786446   44.0   |  493582   41.8   |  469027   40.9
FDDI 50       151   |   12605   52.9   |   12606   29.4   |    5448   14.7   |     401    0.8
FDDI 70       211   |       -      -   |       -      -   |       -      -   |     561    2.7
FDDI 140      421   |       -      -   |       -      -   |       -      -   |    1121   37.6
Fischer 9       9   |  135485    2.4   |  135485    8.9   |  135485   11.4   |  135485   24.7
Fischer 10     10   |  447598   10.1   |  447598   34.0   |  447598   42.8   |  447598   98.1
Fischer 11     11   | 1464971   40.4   | 1464971  126.8   |       -      -   |       -      -
Stari 2         7   |    7870    0.1   |    6993    0.4   |    5779    0.4   |    5113    0.5
Stari 3        10   |  136632    1.7   |  113958    9.4   |   82182    8.2   |   53178    7.8
Stari 4        13   | 1323193   26.2   |  983593  109.0   |  602762   84.9   |  342801   65.7

Table 1. Comparison of reachability algorithms: number of visited nodes and running
time in seconds. "sa" denotes static LU-bounds, "otf" bounds propagated on the fly from
every encountered transition, and "disabled" bounds propagated from disabled transitions
only. For each model and each algorithm, we kept the best of depth-first search and
breadth-first search. Experiments done on a MacBook with 2.4GHz Intel Core Duo
processor and 2GB of memory running MacOS X 10.6.8. Entries marked "-" are missing
due to time out (150s) or memory out (1Gb).

The last two algorithms use bounds propagation. In the third column
($a_{\preceq LU}$,otf), we report the results for the algorithm in [HKSW11] that propagates
the bounds from every transition (enabled or disabled) that is encountered during
the exploration of the zone graph. Since this algorithm only considers the
bounds that are reachable in the zone graph, it generally visits fewer nodes than
UPPAAL's algorithm. The last column ($a_{\preceq LU}$,disabled) corresponds to the algorithm
introduced in this paper. It propagates the bounds that come from the disabled
transitions only. As a result it generally outperforms the other algorithms.
The actual implementation of our algorithm is slightly more sophisticated than
the one presented earlier in the paper. Similarly to UPPAAL, it uses a Passed/Waiting
list instead of a stack. The implemented algorithm is presented in Appendix A.

The results show a huge gain on two examples: $D'_n$ and FDDI. $D'_n$ corresponds
to the automaton $D_n$ in Fig. 6 where the tests $x_k = 1$, $y_k = 1$ have been replaced
by $(0 < x_k < 1)$, $(1 < y_k < 2)$. While it was easier in Section 6 to analyze the
example with equality tests, we wanted here to show that the same performance
gain occurs also when static L bounds are different from static U bounds. The
number of nodes visited by algorithm $a_{\preceq LU}$,disabled exactly corresponds to the
number of states in the timed automaton. The situation with the FDDI example
is similar: it has only one disabled transition. The other three algorithms take
useless clock bounds into account. As a result they quickly face a combinatorial
explosion in the number of visited nodes. We managed to analyze $D'_n$ up to
n = 70 and FDDI up to size 140 despite the huge number of clocks.

The Fischer example represents the worst case scenario for our algorithm. The dynamic
bounds calculated by algorithms $a_{\preceq LU}$,otf and $a_{\preceq LU}$,disabled turn out to
be the same LU-bounds given by static analysis, so the number of visited nodes is
the same for all four algorithms and the bookkeeping of the propagation only adds
running time.

The last two models, CSMA/CD and Stari [BMT99], show the average situation.
The interest of Stari is that it is a very complex example with both a big
discrete part and a big continuous part. The model is exactly the one presented
in op. cit. but for a fixed initial state. Algorithm $a_{\preceq LU}$,disabled discards many
clock bounds by considering disabled transitions only. This leads to a significant
gain in the number of visited nodes at a reasonable cost.

8 Conclusions 

We have pursued an idea of adapting abstractions while searching through the
reachability space of a timed automaton. Our objective has been to obtain as
low LU-bounds as possible without sacrificing practicability of the approach. In
the end, the experimental results show that algorithm $a_{\preceq LU}$,disabled improves
substantially on the state-of-the-art algorithms for the reachability problem in timed
automata.

At first sight, a more refined approach would be to work with constraints
themselves instead of LU-abstractions. Following the pattern presented here,
when encountering a disabled transition, one could take a constraint that makes
it disabled, and then propagate this constraint backwards using, say, the weakest
precondition operation. A major obstacle in implementing this approach is the
covering condition, like G3 in our case. When a node is covered, a loop is formed
in the abstract system. To ensure soundness, the abstraction in a covered node
should be an invariant of this loop. A way out of this problem can be to consider
a different covering condition as proposed by McMillan [McM06], but then this
condition requires developing the abstract model much more than we do. So
from this perspective we can see that LU-bounds are a very interesting tool to
get a loop invariant cheaply, and offer a good balance between expressivity and
algorithmic effectiveness.

We do not make any claim about optimality of our backward propagation
algorithm. For example, one can see that it gives different results depending on
the order of treating the constraints. Even for a single constraint, our algorithm
is not optimal in the sense that there are examples where we could obtain smaller
LU-bounds. At present we do not know if it is possible to compute optimal
LU-bounds efficiently. In our opinion though, it will be even more interesting to
look at ways of cleverly rearranging transitions of an automaton to limit bounds
propagation even further. Another promising improvement is to introduce some
partial order techniques, like parallelized interleaving from [MPS11]. We think
that the propagation mechanisms presented here are well adapted to such methods.
A Implementation of Algorithm $a_{\preceq LU}$,disabled

Algorithm 1.3 gives an overview of UPPAAL's algorithm. It takes as input³ a
zone graph and searches for a reachable accepting state. When a new node is
expanded (l. 11), it is first checked if it is covered by a visited node (l. 15). If
so, then it does not need to be explored. If not, all the nodes that are covered
by the new node are removed (l. 20-21) before the new node is inserted, to save
memory and time.

In order to ensure the termination of the algorithm, the zones are abstracted
with an extrapolation operator (e.g. $Extra^+_{LU}$ [BBLP06]) that guarantees a finite
number of abstracted zones. The abstraction parameters are clock bounds LU.
They are obtained by a static analysis of the timed automaton [BBFL03].

Algorithm 1.3. UPPAAL's algorithm.

P := ∅   // Passed list (visited nodes)
W := ∅   // Waiting list (W is included in P)

function main():   // input: zone graph ZG = (v0, V, →)
    insertPW(v0)
    while (W is not empty) do
        pick a node v from W
        if (v.q is accepting)
            return "not empty"
        for each transition v → v' in ZG do
            insertPW(v')
    return "empty"

function insertPW(v):
    if (∃v' ∈ P s.t. v.q = v'.q and v.Z ⊆ v'.Z)
        // don't add v as it is covered by v'
        return
    else
        // remove all nodes v' covered by v
        for each v' ∈ P s.t. v'.q = v.q and v'.Z ⊆ v.Z do
            remove v' from P and from W
        // insert v
        insert v in P and in W

³ The implementation builds the zone graph on-the-fly from a timed automaton taken
as input.
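The following is an added, runnable Python rendering of Algorithm 1.3; it is not the paper's implementation nor UPPAAL's code. Zones are DBMs whose entries are (value, non-strict) pairs, the extrapolation is the simpler $Extra_{LU}$ operator of [BBLP06] (standing in for $a_{\preceq LU}$, with L(x_0) = U(x_0) = 0 for the constant clock), and the static LU-bounds are read off the guards in the spirit of [BBFL03], a clock with no guard of a kind getting $-\infty$ for that bound. Further assumptions: diagonal-free guards, no invariants, breadth-first order, and the node count is the number of insertions into P. The automaton is a constructed three-location toy, not one of the benchmarks. Running the same search with the static bounds and then with bounds inflated to 10 shows, in miniature, the effect the experiments above are about: with smaller LU-bounds more successors fall under the covering test and fewer nodes are visited. The helper disabled_at lists the transitions disabled from a node, i.e. the set that disabled(v) in Algorithm 1.4 below iterates over; the backward propagation itself (newbounds, backwardLU) is not reproduced here.

```python
# Algorithm 1.3 (UPPAAL's Passed/Waiting-list search) over DBM zones.  Added example,
# not the paper's or UPPAAL's code: diagonal-free guards, no invariants, bounds as
# (value, non_strict) pairs, Extra_LU of [BBLP06] in place of a_{<=LU}, static L/U.
from itertools import product
INF = (10**9, 1)   # "no bound"; larger than any constant used below
NEG = -10**9       # "-infinity": the clock has no guard of that kind
ZERO = (0, 1)      # "<= 0"

def add(a, b):     # sum of two bounds: strict unless both are non-strict
    return INF if INF in (a, b) else (a[0] + b[0], a[1] & b[1])

class Zone:        # DBM: m[i][j] bounds x_i - x_j; index 0 is the constant clock 0
    def __init__(self, n, m=None):
        self.n, self.m = n, m or [[ZERO] * (n + 1) for _ in range(n + 1)]
    def canonical(self):   # Floyd-Warshall closure; False iff the zone is empty
        r = range(self.n + 1)
        for k, i, j in product(r, r, r):
            s = add(self.m[i][k], self.m[k][j])
            if s < self.m[i][j]:
                self.m[i][j] = s
        return all(self.m[i][i] >= ZERO for i in r)
    def up(self):          # time elapse: drop every upper bound x_i <= c
        for i in range(1, self.n + 1):
            self.m[i][0] = INF
    def reset(self, x):    # x := 0 on a canonical DBM
        for j in range(self.n + 1):
            self.m[x][j], self.m[j][x] = self.m[0][j], self.m[j][0]
        self.m[x][x] = ZERO
    def guard(self, x, op, d):   # conjoin the atomic guard "x op d"
        if op in ("<=", "<"):
            self.m[x][0] = min(self.m[x][0], (d, int(op == "<=")))
        else:                    # ">=" or ">"
            self.m[0][x] = min(self.m[0][x], (-d, int(op == ">=")))
    def includes(self, other):   # other ⊆ self, both canonical (the covering test)
        return all(o <= s for rs, ro in zip(self.m, other.m) for s, o in zip(rs, ro))
    def extra_lu(self, L, U):    # Extra_LU of [BBLP06]; L[0] = U[0] = 0
        r = range(self.n + 1)
        for i, j in product(r, r):
            c = self.m[i][j]
            if i != j and c > (L[i], 1):      # above every lower constant of x_i
                self.m[i][j] = INF
            elif i != j and c < (-U[j], 1):   # x_j's lower bound beyond every U(x_j)
                self.m[i][j] = INF if U[j] == NEG else (-U[j], 0)
        for j in range(1, self.n + 1):        # clock values are never negative
            self.m[0][j] = min(self.m[0][j], ZERO)
        self.canonical()

def successor(zone, t):   # t = (name, src, guard, resets, dst); None if t is disabled
    z = Zone(zone.n, [row[:] for row in zone.m])
    for x, op, d in t[2]:
        z.guard(x, op, d)
    if not z.canonical():
        return None
    for x in t[3]:
        z.reset(x)
    z.up()
    return z

def static_lu(n, trans):  # largest lower (L) and upper (U) guard constant per clock
    L, U = [0] + [NEG] * n, [0] + [NEG] * n
    for _, _, g, _, _ in trans:
        for x, op, d in g:
            B = L if op in (">=", ">") else U
            B[x] = max(B[x], d)
    return L, U

def disabled_at(q, zone, trans):   # what disabled(v) in Algorithm 1.4 iterates over
    return [t[0] for t in trans if t[1] == q and successor(zone, t) is None]

def reachable(n, trans, init, target, L, U):   # Algorithm 1.3 -> (reachable?, nodes)
    P, W, inserted = [], [], [0]
    def insertPW(v):
        q, Z = v
        if any(q2 == q and Z2.includes(Z) for q2, Z2 in P):
            return                            # covered by a visited node: skip
        keep = lambda w: not (w[0] == q and Z.includes(w[1]))
        P[:], W[:] = list(filter(keep, P)), list(filter(keep, W))  # drop nodes v covers
        P.append(v); W.append(v); inserted[0] += 1
    z0 = Zone(n); z0.up(); z0.canonical(); z0.extra_lu(L, U)
    insertPW((init, z0))
    while W:
        q, Z = W.pop(0)                       # FIFO: breadth-first search
        if q == target:
            return True, inserted[0]
        for t in trans:
            if t[1] == q and (Zs := successor(Z, t)) is not None:
                Zs.extra_lu(L, U)
                insertPW((t[4], Zs))
    return False, inserted[0]

X, Y = 1, 2   # clock indices (0 is the constant clock)
# Constructed toy automaton: x is reset on the q0 loop and y never, so x <= y holds
# everywhere and the guard of t3 (x >= 2 and y <= 1) is never enabled.
TRANS = [("t1", "q0", [(X, ">=", 1)], [X], "q0"),
         ("t2", "q0", [(Y, "<=", 1)], [], "q1"),
         ("t3", "q1", [(X, ">=", 2), (Y, "<=", 1)], [], "bad")]

if __name__ == "__main__":
    print("static L/U:", reachable(2, TRANS, "q0", "bad", *static_lu(2, TRANS)))
    print("L = U = 10: ", reachable(2, TRANS, "q0", "bad", [0, 10, 10], [0, 10, 10]))
```

With the static bounds (L(x) = 2, U(y) = 1, the others $-\infty$) the search answers (False, 2): the loop successor at q0 is absorbed by the initial node and "bad" is never reached. With both bounds inflated to 10 the answer is still (False, 4), because larger bounds are sound too, but the loop now produces a zone that the initial node no longer covers. That gap between sound bound choices is what the dynamic algorithms of this paper exploit; note also that from the q1 node only t3 is disabled, so the disabled-transitions variant would draw its bounds from that single guard.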



Our algorithm $a_{\preceq LU}$,disabled is built on top of UPPAAL's algorithm. It is
depicted in Algorithm 1.4. The main difference is that it computes dynamic
LU-bounds that are used to stop the exploration earlier. The dynamic bounds
are used in l. 15. We avoid exploring a node if it is covered by a visited node
w.r.t. dynamic bounds and abstraction $a_{\preceq LU}$. If the node is not covered, then
its bounds are updated w.r.t. the transitions that are disabled from that node
(l. 21) and the node is explored (l. 24).

The algorithm computes an adaptive simulation graph (see Definition 9)
and a covering relation ◁. The tentative nodes in Definition 9 are the nodes
v that are covered by some node v', that is: v ◁ v'. The algorithm propagates
the bounds and it updates ⇝ and ◁ in order to maintain the invariants in
Definition 9.

As the bounds are propagated over the graph ⇝, some covering edge v' ◁ v
may become invalid. This is checked in line 50. When the bounds in v' have to
be updated from the bounds in the covering node v, it is first checked if v' is
still covered by v. If it is not the case, v' is put in the list of waiting nodes and
it will be considered again later.

The propagation of clock bounds relies on function newbounds given in
Algorithm 1.2.

Algorithm 1.4. Algorithm a≼LU,disabled.

// Assumptions: no lower-bound atomic guards d < x in invariants
//              no atomic guard x <

P := ∅   // Passed list (visited nodes)
W := ∅   // Waiting list (W is included in P)
◁ := ∅   // Covering relation wrt dynamic bounds
⇝ := ∅   // Propagation relation

function main():   // input: zone graph ZG = (v0, V, →)
    insertPW(v0)
    while (W is not empty) do
        pick a node v from W
        if (v.q is accepting)
            return "not empty"
        if (∃v' ∈ (P \ W) uncovered s.t. v.q = v'.q and v.Z ⊆ a≼v'.LU(v'.Z))
            add v ◁ v' and v' ⇝ v
            v.LU := v'.LU
            (X_L, X_U) := bounds modified during the copy
            propagate(v, X_L, X_U)
        else
            v.LU := disabled(v)
            (X_L, X_U) := active clocks in v.LU
            propagate(v, X_L, X_U)
            for each transition v → v' in ZG do
                add v' ⇝ v
                insertPW(v')
    return "empty"

function insertPW(v):
    if (∃v' ∈ P s.t. v.q = v'.q and v.Z ⊆ v'.Z)
        // v is covered by v' wrt static bounds
        replace all v ⇝ v'' by v' ⇝ v''
    else
        // remove all nodes v' covered by v wrt static bounds
        for each v' ∈ P s.t. v'.q = v.q and v'.Z ⊆ v.Z do
            remove v' from P and from W
            replace all v' ⇝ v'' by v ⇝ v''
            remove all v'' ⇝ v'
            if (∃v'' ∈ P s.t. v' ◁ v'')
                remove v' ◁ v''
            else
                for each v'' ∈ P s.t. v'' ◁ v' do
                    remove v'' ◁ v'
                    insert v'' in W
        insert v in P and in W

function propagate(v, X_L, X_U):
    for each v' s.t. v ⇝ v' do
        if (v' ◁ v)   // propagation due to a covering edge
            if (v'.Z ⊆ a≼v.LU(v.Z))   // v' still covered by v
                v'.LU := v.LU
                (X'_L, X'_U) := bounds modified during the copy
            else   // v' is not covered by v anymore
                v'.LU := x ↦ -∞;  (X'_L, X'_U) := (∅, ∅)
                insert v' in W
        else   // propagation due to a transition in ZG
            let t be the transition q' → q that corresponds to v ⇝ v'
            (g_l, g_u, R) := decompose(t)
            (L_tU_t, X'_L, X'_U) := backwardLU(v'.Z, g_l, g_u, R, v.LU, X_L, X_U)
            v'.LU := max(v'.LU, L_tU_t)
            (X'_L, X'_U) := bounds modified by maximization
        if (X'_L ≠ ∅ or X'_U ≠ ∅)
            propagate(v', X'_L, X'_U)

function disabled(v):
    L := x ↦ -∞;  U := x ↦ -∞
    for each transition t from v.q that is disabled from v.Z do
        (g_l, g_u, R) := decompose(t)   // lower bounds, upper bounds, reset
        choose an atomic guard w < d in g_u disabled from v.Z ∧ g_l
        L_d := x ↦ -∞;  U_d := w ↦ d, x ↦ -∞ (x ≠ w)
        (L_tU_t, X_L, X_U) := backwardLU(v.Z, g_l, true, ∅, L_dU_d, ∅, {w})
        LU := max(LU, L_tU_t)
    return LU

function decompose(t):
    let t = (I, g, R, I')   // src inv, guard, reset, tgt inv
    g' := g ∧ I
    add to g' all the atomic guards x < d from I' s.t. x ∉ R
    let g'_l be the lower-bound atomic guards d < x in g'
    let g'_u be the upper-bound atomic guards x < d in g'
    return (g'_l, g'_u, R)

function backwardLU(Z, g_l, g_u, R, LU, X_L, X_U):
    let Z –(g_l)→ Z' –(g_u, R)→ Z''
    update LU, X_L and X_U applying newbounds on Z' –(g_u, R)→ Z''
    update LU, X_L and X_U applying newbounds on Z –(g_l)→ Z'
    return (LU, X_L, X_U)



